- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 03 Dec 2019 06:17:32 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 3 December 2019 14:17:38 UTC
@ptoomey3 it's similar to the body being sent there if you use 307/308 (or 301/302 with a method that is not POST). In general the server receiving all the secrets could relay them if they want. The threat model here seems to be that the server is cooperating but has an XSS of sorts around its `Location` header handling. I suppose another solution here could be to introduce a new redirect mode, whereby you can only redirect within the origins provided by the request URL and yourself, or some such.

Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/944#issuecomment-561186954